I was talking to a friend about passwords and I came to think of this:

Password Strength (XKCD)

The always epic XKCD is of course right: choosing four random words as your password is better than choosing a series of numbers and letters. Now the comic maybe makes it a little bit too geekish, talking about bits of entropy and whatnot. But the way I always learned to calculate brute-force strength is by taking the “degrees of freedom”, in other words how many possibilities there are for each position, raised to the number of times you have that possibility, i.e. how many instances of this thing you have. So if you have a 4-digit PIN code, there are 10 possibilities for each digit, 0-9, and you have 4 of them. So you have to go through 10 * 10 * 10 * 10 or 10^4 guesses, or in general (degrees of freedom)^(number of instances).

I’m pretty sure that’s right, but correct me if I’m wrong, please.

Assuming it’s correct, choosing a password out of just letters, big and small, gives you 54 degrees of freedom: 27 letters of the alphabet * 2.

If we include numbers and some symbols, we can make alphanumeric passwords that are stronger. Using for example 0-9, a-Z and !"#?%&/()=?_-, we get 77 degrees of freedom.

But let’s assume that a word is one thing. It’s not a number of letters, it’s _one_ thing. There are about 20,000 common words, and most dictionary-attack dictionaries contain maybe 50,000 words, but let’s be on the modest side and assume 20,000 words exist that you are allowed to choose from. That means in a password based only on words, you have 20,000 degrees of freedom.

So let’s plot the strength of a password to the number of instances of the type that the password contains.

Password Strength

The horizontal line I’ve put in is at four words. So the way to read this graph is by following that line. A four-word password has the same strength as an alphanumeric password of length 9, or the same as a letter-based password of length 10.
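The comparison above, worked through in Python as an added example (not the post’s own graph code): it uses the post’s alphabet sizes (54, 77 and 20,000), computes the keyspace and bits of entropy for a given number of instances, and converts a keyspace back into the length another scheme would need to match it. The rounding convention is my assumption: `equivalent_length` rounds to the nearest length (the reading the post uses), while `length_at_least` rounds up to the first length that is at least as strong.

```python
import math

# "Degrees of freedom" per position, exactly as the post defines them.
SCHEMES = {
    "letters": 54,        # 27 letters of the alphabet * 2 (upper and lower case)
    "alphanumeric": 77,   # letters plus 0-9 and the listed symbols
    "words": 20000,       # a modest common-word dictionary
}


def keyspace(dof: int, instances: int) -> int:
    """Guesses needed to exhaust the space: (degrees of freedom)^(instances)."""
    return dof ** instances


def entropy_bits(dof: int, instances: int) -> float:
    """The same number expressed the XKCD way, as bits of entropy."""
    return instances * math.log2(dof)


def equivalent_length(space: int, dof: int) -> int:
    """Length of a dof-symbol password closest in strength to `space`
    (nearest whole length; assumption, this is how the post reads its graph)."""
    return round(math.log(space) / math.log(dof))


def length_at_least(space: int, dof: int) -> int:
    """Shortest dof-symbol password that is at least as strong as `space`."""
    return math.ceil(math.log(space) / math.log(dof))


def strength_table(max_instances: int = 6) -> list[dict]:
    """The data behind the post's graph: bits of entropy per scheme,
    for 1..max_instances instances of that scheme's unit."""
    return [
        {"instances": n, **{name: round(entropy_bits(dof, n), 1)
                            for name, dof in SCHEMES.items()}}
        for n in range(1, max_instances + 1)
    ]


if __name__ == "__main__":
    four_words = keyspace(SCHEMES["words"], 4)
    print(f"4 words: {four_words:.2e} guesses, {entropy_bits(20000, 4):.1f} bits")
    for name, dof in SCHEMES.items():
        print(f"  ~ {equivalent_length(four_words, dof)} {name}")
    for row in strength_table():
        print(row)
```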

It’s interesting to note that alphanumeric and just plain old letters are very, very similar in strength. Adding a 0 at the end won’t make you that much harder to break.

But having one common word as your password (like using ‘password’ as your password) is about the same strength as having just 3 random letters.

I’m pretty sure I can remember up to 6 random words strung together, but I’m absolutely sure I can’t remember about 16 random alphanumeric characters, which is of the same strength.

So when you’re choosing your next password, make it 4 random words and you’re pretty much all set security-wise. Though make sure that all together the four words are longer than 10 characters, or you can’t brag that your password is safer than those other people’s passwords :P

In the end it’s all about remembering them right? And remembering 4 words is pretty damn easy.

Click here if you’re interested in the few lines of code for the graph.